(54) Method and apparatus for the secure distribution of encryption keys

(57) Apparatus for transferring the encryption key in a secure way, to facilitate establishing a secure communication link, comprises a key management device attaching to each user's encryption machine for the purpose of key distribution, and a secure encryption key distribution center. A key management device is attached to each user's encryption machine, containing a list of secure communication partners and their respective encryption keys. The encryption key and other parameters are transferred automatically to the encryption machine. The called machine receives the caller identification and the encryption key and parameters are transferred automatically. The device displays to each user the true, reliable identity of the other party. If the desired addressee data is not found in the local data list, the key management device connects a secure key distribution center. The communication with the key distribution center is protected by encryption using the public key method. The key distribution center creates, for each user, a "certificate" which includes the user public key, user identification and issue date, all encrypted with the center's private key. The certificate can be used to access a multitude of remote databases or other information services on an irregular basis, without the need to subscribe to all of them. It may be also used for secure payment over insecure links using credit cards and/or for caller identification. The certificate method is used for flexible authorization schemes, to indicate changing time period of validity or authorizations/permits.
Description

The invention relates to safe public communication systems which include means for secure distribution of the encryption key and the communication parameters.

Various devices and methods were devised for secure voice and/or data communication for public use, using analog or digital encryption means. Common to the various encryption methods is the use of an encryption key, which provides a higher level of protection together with flexibility and standardization. Public key encryption, by using separate encryption and decryption keys, offers better protection for encrypted messages.

A public key cryptographic system and method was disclosed in Merkle-Hellman U.S. Patent No. 4,218,582; the RSA (Rivest-Shamir-Adleman) encryption system and method was disclosed in U.S. Patent No. 4,405,829.

With the proliferation of encryption machines in commerce and for private use, a situation arises wherein a user desires to establish a secure communication link with another user having an encryption machine.

The user faces a problem: how to exchange the encryption keys in a secure way, to establish the secure link. If the key is compromised, then the whole communication is compromised, and the encryption is useless. This is a vicious circle, since a secure link is required to transmit the key to begin with; but, since the other party doesn't have yet the key, the secure link can't be used to transmit the key itself.

Furthermore, data communication systems face the dangers of eavesdropping and impersonation, with the associated risks of the key being intercepted or a false key being transmitted by an impersonator. Accordingly, means are required for secure key distribution, this being an essential requirement for the widespread use of encryption machines, that is for establishing a secure link between parties which had no previous secure communications therebetween.

The security of the encryption process depends on the security of the encryption key, which depends on the security of the key distribution means; therefore, special means are required to provide a higher level of protection for the key distribution means itself.

A directory of public keys could be used, but a fixed list cannot cope with the fast changing situation in this area, with new users joining continuously, users changing address and users changing keys for better protection.

Various attempts at solving the key dissemination problem were devised, for example PGP maintains a public server containing a list of public keys. The PGP server accepts and maintains a file with a collection of identification packages (KeyID). Each identification package includes the name and details of a key holder, together with his/her public key, which are signed (authenticated) by a third party which encrypts the package with his/her private key.

Another party desiring to communicate with such a key holder searches for an identification package signed by someone known/accepted by them, thus "ensuring" that that is the true key which truly belongs to the person as claimed; the third party is "known/accepted" in the sense that the caller believes that its encryption key pair are as claimed and are not compromised. Since any single third party may be unknown to the other party, said key holder submits a plurality of identification packages to the PGP server, each signed by a different third party; another party looking for a reliable encryption key has to search all the packages belonging to that key holder, until he finds one signed by a third party known to him.

Thus, the PGP server maintains a file with a collection of identification packages for a multitude of users, and with a plurality of packages for each user. Thus it may be difficult to keep this vast quantity of information and to disseminate it to users.

Another key dissemination method is employed by Verisign, which distributes digital "certificates" valid for a long time period, for example 5 years.

A certificate includes the name and additional information for a user, together with the public key for that user and the expiry date of the certificate, all encrypted with the private key of the issuing authority. Another certificate is issued to that first issuing authority by a higher second authority, and so on. This is a hierarchical authorization structure, with a user bringing signatures from persons/entities at several levels, until a level high enough is reached which is also part of the hierarchy of the calling party.

A great effort is put into ensuring the identity of a user before issuing a certificate, and in keeping the certificates; however, a certificate once issued may be compromised during its long lifetime, in which case it is difficult to replace. The center has no control over the use of an issued certificate while the certificate is still valid, during the long period as set at issue time; only the "black list" at the center may give a warning to that effect, but that can only prevent communications. A reliable key has yet to be exchanged between the parties, which is difficult in this case.

RSA Data Security Inc. offers another system including a center which issues certificates, that is digital documents containing the name and details for a user, together with his/her public key and an expiration date, all encrypted with the private key of the center. The expiration date is a weak link for this system since, as the key approaches its expiry date, the chance of its being compromised increases, and more verification requests will be placed with the center.

If a key is compromised, it is practically impossible to remove it from the server; PGP and RSA only keep a second list (the black list) of disabled or canceled keys, but this is a cumbersome and inefficient method.

If the private key of the RSA or other similar centers is compromised, this results in a "catastrophe", since anyone can impersonate other users.

Another use of public key encryption is the PC Fax program package offered by Microsoft for the transmission of FAX messages. The FAX may be encrypted using a password or a digital key. Again, they face the same problem of reliable key dissemination. Microsoft advises to exchange diskettes containing the key, clearly a difficult to use method. A public key can be exchanged by communication means, and again there is the problem of identifying the other party: how one is to know that the answering party is truly the person it claims to be.

Caller identification is a problem encountered in various situations in the modern period of widespread use of global communications and information exchange.

It is an object of the present invention to provide an apparatus and method for transferring the encryption key in a secure way, to facilitate establishing a secure communication link, comprising a key management device attaching to each user's encryption machine for the purpose of key distribution, and a secure encryption key distribution center providing the service of secure encryption key dissemination to authorized users.

This object is achieved by a key distribution center as disclosed in claim 1 and by a method as disclosed in claim 5.

According to one aspect of the present invention, there is provided a key management device attaching to each user's encryption machine, containing a list of secure communication partners and their respective encryption keys and parameters. To initiate a secure link session, the user keys in the identification of the desired addressee. If the details of that addressee are stored in the communication partners data list then the encryption key and other communication parameters pertaining to that person are transferred automatically to the encryption machine, and the secure link is established.

Likewise, if this machine is accessed by another user's device, then the other device transmits its identification, and again the encryption key and other communication parameters are read from the list and transferred automatically to the encryption machine. A display is used to display to each user the true, reliable identity of other party, as established during the secure link setup.

According to another aspect of the present invention, if the desired addressee data is not found in the secure communication partners data list, then the key management device automatically connects a secure key distribution center, to get the encryption key and parameters for that addressee. This data is then transferred to the encryption machine and is also stored in the local list for future use.

According to a third aspect of the present invention, the communication with the key distribution center is protected by encryption using the public key method. The encryption key request is transmitted to the center after encryption with the center's public key; the center uses its private key to identify the inquirer and the addressee, and then transmits the desired information after encryption with the inquirer's public key.

Thus, only the center knows who asked what information, this preventing center impersonation; only the inquirer can decrypt the answer, thus an eavesdropper can't use the information. Furthermore, by providing only the public key of the desired addressee, a higher level of protection is achieved, since even if the key is compromised, the encrypted message using that key is still protected, since the private key was not disclosed.

According to a fourth aspect of the present invention, a secure encryption key distribution center is disclosed, performing the key distribution process as detailed hereinbefore, when addressed by a user's key distribution device. Also disclosed is a system including a plurality of such centers, connected in a wide area network for fast updating of key information so all the centers provide identical, updated information.

According to a fifth aspect of the present invention, the key distribution center creates a "certificate", that is a digital safe key/identification package for each user. The certificate can be used in an open link transaction between users for the secure link establishment. Each certificate includes the public key for a user, together with identification information for that user and the issue date, all encrypted with the private key of the key distribution center.

The algorithm is based on a public key algorithm which is symmetrical with respect to the encryption and decryption keys, using package encryption with the private (decryption) key of the key distribution center. Unlike other key distribution systems, in this present invention there is no need to keep local lists of other users' keys; during the link setup transaction, each party sends its certificate to immediately and reliably establish its identity.

According to a sixth aspect of the present invention, the certificate can be frequently changed, to maintain a high level of security. This protects the information if the user's key is compromised, and also provides for easy recovery if the private key of the center itself is compromised; this is a catastrophic situation for other systems.

According to a seventh aspect of the present invention, the certificate can be used to access a multitude of remote databases or other information services on an irregular basis, without the need to subscribe to all of them. The method involves the user presenting a certificate issued to him by the center, including an authorization to access databases and an optional list of permitted operations therein.

According to an eighth aspect of the present invention, the certificate may be used for secure payment over insecure links, for example the Internet. The credit card information is protected from unauthorized use by the seller or third parties participating in Internet for example, by the inclusion of the credit card information in the encrypted certificate, with that certificate capable of being decrypted only by the authorized party, the credit card issuer for example.

According to a ninth aspect of the present invention, the certificate may be used for caller identification, with the subsequent communication being either encrypted or not. Caller identification is implemented by the exchange of certificates as detailed. Caller identification may be beneficial in a wide variety of applications, for example telephone and fax, cellular/wireless phone, computer communications, remote control/base station, access control.

According to a tenth aspect of the present invention, the certificate allows to implement flexible authorization schemes, for example its time period of validity may be limited as desired, according to application and circumstances. Another implementation is to include a list of authorizations or actions permitted for that user to do, or databases to access, or permitted operations in those databases.

Thus, the present invention facilitates secure communications between users having encryption machines which had no previous secure communications therebetween; furthermore, the invention provides protection for database services providers and these services' users, by facilitating user authentication and selective (encrypted) data dissemination. Furthermore, the invention provides for reliable caller identification for encrypted or nonencrypted communications.

Further objects, advantages and other features of the present invention will become obvious to those skilled in the art upon reading the disclosure set forth hereinafter.

The invention will now be described by way of example and with reference to the accompanying drawings in which:

Figure 1 is a description of the overall structure of the encryption key distribution system.

Figure 2 details the key management device connected to a user's encryption machine for analog communications.

Figure 3 illustrates the key management device connected to a user's encryption machine for digital data communications.

Figure 4 details the key management device structure.

Figure 1 illustrates an example of the overall structure of the encryption key distribution system. A user encryption facility 1 comprises an encryption machine 21 and a key management device. Encryption machine 21 includes plaintext channel 211 to communicate with the local user, and ciphertext channel 212 connected to another user through a standard communication channel 213, using wired or wireless communication means.

The key management device includes key management controller 314 and channel interface 41. The operation of the system components will now be detailed, assuming the initiator is facility 1 and the addressee is user encryption facility 3. The user enters the details of the desired addressee through channel 313, which may consist of a local keypad or a link to a computer.

This is the identification of the person or facility to establish a communication link with. If the keys for that addressee are found in the local list in controller 314, as detailed below with reference to Fig. 4, then key setup channel 311 is used to transfer the encryption and decryption keys for that addressee, together with optional additional parameters from key management device 314, to encryption machine 21, said keys being subsequently used by encryption machine 21.

The encryption and decryption keys consist of digital bits or words in serial or parallel form, usable for encryption or decryption using known methods like DES or public key algorithms like the RSA method.

If the keys for the desired addressee are not found in the local list, then key management controller 314 automatically connects the secure encryption key distribution center 11 through key distribution channel 103, and sends an inquiry message asking for the public key for the addressee, facility 3 in this example, the message being encrypted with the public key for center 11. Key distribution channel 103 is a communication channel used for that purpose.

Center 11 decrypts the message, verifying the identity of facility 1 in the process; the answer is sent to facility 1, encrypted with the public key for that facility. The method used for facility 1 identification is detailed below; see step 3b of the key distribution center 11 algorithm.

Facility 1 can now access facility 3, to initiate a mutual identification and key and parameters setting for a secure communication session. The communication path consists of controller 314, through data initiation channel 312, encryption in machine 21, through ciphertext channel 212, channel interface 41, communication channel 213 connected to communication channel 233 at facility 3, to channel interface 43, through ciphertext channel 232, decryption in machine 23, through data initiation channel 332, to controller 334.

Key setup channel 311 is used in facility 1 during an initiating procedure before the abovedetailed communications, to load the encryption and decryption keys in machine 21 from controller 314. Similarly, channel 331 in facility 3 is used to load the encryption and decryption keys in machine 23 from controller 334.

Channel interface means 41 includes means for performing functions as required by communication channel 213, like phone dialing, signal level control, impedance loading.
Interface unit control 812 is used by controller 314 to control the channel interface means 41, according to the operating mode and link establishment stage, as detailed below.

Facility 3 also includes plaintext channel 231, ciphertext channel 232 connected to communication channel 233, addressee details channel 333, interface unit control 832, key distribution channel 107.

A secure encryption key distribution center 11 is connected to a multitude of user encryption facilities, two of these being designated as 1, 2 in Fig. 1. Center 11 uses key distribution channels designated 101, 102, 103, 104. Center 11 includes a (not shown) computer including a list of users with their respective public keys and other data: each user's phone number and address, last update date, whether a dialer/user automatic identification is to be performed. The computer also controls the various activities in the center with the encryption machine, the channel interface and the local operator.

The computer also includes an interface to operator (not shown) for status or warnings display, control and manual keys update.

Channel interface means (not shown) in center 11 are similar to channel interface means 41 in facility 1 as detailed above, including means for performing functions as required by communication channels 101, 110... like phone dialing, signal level control, impedance loading. Since center 11 is capable of connecting simultaneously to numerous users, a channel interface having this capability is used, as known in the art.

Encryption machine means (not shown) in center 11 are similar to that in facility 1. Faster, more powerful machines may be used for higher throughput.

Facility 2 comprises encryption machine 22 and key management controller 324, with interface unit control 822, channel interface means 42, communication channel 223, data initiation channel 322, used in facility 2 to communicate with facility 1 or any other user. Facility 2 also includes encryption machine 22, key management controller 324, plaintext channel 221, ciphertext channel 222, addressee details channel 323, key distribution channel 104. Channel 321 is used to load the encryption and decryption keys in machine 22, from controller 324.

Likewise, key distribution center 12 is connected to a multitude of user encryption facilities, like facility 3, using key distribution channels designated 105, 106, 107, 108, 109. All the centers 11, 12, ... contain the same list of encryption keys.

Inter-center links 110, 111, 112 are used to connect the key distribution centers for key data updates, using a digital, secure (encrypted) format. Thus, after a user updates his/her key with the local center, the lists in all the centers are updated automatically, to provide updated information to all the system's users.

Thus, the abovedetailed apparatus and method for transferring the encryption key allow to establish a secure communication link between two facilities with encryption machines.

Moreover, reliable identification of the parties to a new communication session can be performed, that is each party can ascertain the identity of the other party. The reliable identification can be performed between parties which had no previous communications therebetween, the parties being strangers to each other and at separate locations, remotely located; the identification process uses the same data communication link as the data communication to be performed after the identification stage.

Furthermore, each user equipment can include a key generation machine, that is a processor which accepts a random number from the user and generates a key pair (a public key and a private key). Only the public key is transmitted to the center or otherwise displayed; the private key is kept secret, inside the machine, and is only used to decrypt or encrypt messages. This apparatus and method allow to generate new keys whenever the user so desires, and the private key is securely kept.

Additional physical key protection means can be used, for example the key generation machine is mounted in a cellular telephone; the user personally keeps that telephone, thus ensuring that the private key is safe.

For the use of the invention in a cellular telephone, another implementation is not to include the key pair generating machine in the telephone; the user can go to a cellular telephone company center to compute there and load new keys, for example by connecting to terminals in that center.

Another implementation uses an external key generating machine carried by a cellular telephone representative. The machine has the processing ability required for key generation, but has no internal memory to keep the generated keys. Thus, the machine is connected to a cellular telephone, it generates the key pair and transfers the keys to the cellular telephone.

Since the machine cannot keep the keys, only the user of that cellular telephone has the key pair, thus the keys cannot be compromised even by the telephone company personnel.

This method for user authentication and selective data dissemination can be used in financial transactions, for example to pay with credit cards through insecure links, and where the payee himself may be unreliable as well. An unreliable payee cannot make unauthorized use of the information in the card, since that information is encrypted and is not available to him/her.

The method can be used to establish cellular phone links, while preventing an impersonator from stealing phone communication rights from the legitimate telephone owner. The method can be used as well to protect wireless remote control devices (for example car locks or garage openers).
The operation of the key management device was described in the context of the whole secure communication system.

The algorithm for each of the system components will now be detailed, assuming the addressee is user encryption facility 3 comprising an encryption machine 23, key management controller 334 and interface 43. These algorithms are executed concurrently or sequentially.

The algorithm for connection initiating device 314 comprises the following steps:

1a. Device 314 receives the addressee 3 details through channel 313

2a. If the addressee 3 details are found in the local list, then: the encryption and decryption keys are transferred to machine 21 through channel 311; jump to step 7a (No need to contact the key distribution center 11)

3a. The desired addressee 3 details, together with identification details for facility 1 and a group of random bits, are encrypted using the public key for key distribution center 11 to form an inquiry message. Communication channel 103 is established with center 11, and the encrypted inquiry message is sent to center 11 (which then performs steps 1b to 5b and 7b, or 1b to 3b and 6b, 7b, as detailed below)

4a. The answer from center 11 (step 5b there) is decrypted using the private decryption key for facility 1. That answer contains the public key for the desired addressee 3 and the group of random bits sent to center 11;

5a. If the received group of random bits are not identical to the transmitted random group, then jump to step 6a (Answer from impersonator); otherwise the answer is accepted as legitimate, then: the public key contained therein is transferred to machine 21 through channel 311, together with the private key for facility 1; update local keys list with the key received from center 11; jump to step 7a

6a. Display message: Failure to get public key for desired addressee; Stop

7a. Prepare an initial message for facility 3, comprising data identifying facility 1 and a group of random bits, encrypted with the public key for facility 3

8a. Use channel interface 41 to access facility 3 through channel 213, which is connected to channel 233 at facility 3. Send initial encrypted message to facility 3 (facility 3 performs then steps 1c to 9c or part of these steps, according to its algorithm detailed below)

9a. Caller/addressee identification: Receive message from facility 3, decrypt with the private key for facility 1, extract the group of random bits sent to facility 3 and compare with the group sent; if not identical, then jump to step 10a; otherwise: encrypt the received random bits generated in facility 3 with the public key for facility 3 and send the encrypted message to facility 3; jump to step 11a

10a. Display message: Addressee identification failed; Stop

11a. Display message indicating successful link establishment; End

The algorithm for key distribution center 11 comprises the following steps:

1b. Distribution center 11 receives encrypted inquiry message from facility 1 through channel 103, together with automatic dialer identification data received

2b. The message from facility 1 is decrypted using the private decryption key for center 11.

3b. The inquirer identification contained in the message is compared with the automatic dialer identification data received. If in disagreement, then jump to step 6b

4b. Compile an answer message comprising the desired addressee public key and the group of random bits received; encrypt using the public key for facility 1, that key being stored in the center 11 database together with the other encryption (public) keys

5b. Send the encrypted message to facility 1; jump to step 7b

6b. Display warning message: Illegitimate access event

7b. Store details of transaction for optional future audit; End

The algorithm for the addressed device 334 comprises the following steps:

1c. Controller 334 receives an initial message through channel 233, interface 43, channel 232, decrypted in machine 23, through data initiation channel 332; this is the initial message from facility 1. The message is decrypted with the private key for controller 334, to extract the message including facility 1 identification and the random bits group;

2c. If the details for facility 1 are found in the local list, then: the encryption and decryption keys are transferred to machine 23 through channel 331; jump to step 7c;

3c. The facility 1 details are encrypted using the public key for key distribution center 12, together with identification details for facility 3 and a group of random bits. Communication channel 107 is established with center 12, and the encrypted message is sent to center 12, similar to the abovedetailed facility 1 inquiry of center 11;

4c. The answer from center 12 is decrypted using the private decryption key for facility 3. That answer contains the public key for facility 1 and the group of random bits sent to center 12;

5c. If the received group of random bits are identical to the transmitted random group, then: the answer is accepted as legitimate; the public key contained therein is transferred to machine 23 through channel 331, together with the private key for facility 3; update local keys list with the key received from center 12; jump to step 7c

6c. Display message indicating failure to get public key for facility 1; Stop

7c. Caller/addressee identification: Compile a group of random bits, add to the random bits received from facility 1 and encrypt using the public key for facility 1; send the message to facility 1 through interface 43 and channel 233; receive the answer from facility 1, decrypt with the private key for facility 3, and compare with the initial group sent; if identical, then jump to step 9c

8c. Display message: Caller identification failed; Stop

9c. Display message indicating successful link establishment; End

For performing these algorithms and related functions,
each facility of initiator/addressee can perform in
one of the following modes of operation:

1. Initiate clear link communications with another
facility

2. Initiate encrypted link communications with
another facility

3. Accept clear link establishment with another facility

4. Accept encrypted link establishment with another
facility

5. Initiate encrypted link with key distribution center
to get other's key

6. Initiate encrypted link with key distribution center
to update own key recording in the center's list

7. Key update: prepare pair of keys; update both in
local lists; send only public key to center.

8. Key input through [local] keypad, barcode reader,
tape reader, magnetic tape reader, voice, another
serial communication channel like RS-232

9. Key input from another facility, when that facility
changes its keys and sends the new public key to its
known addressees (according to the local keys list
of that facility)

The abovedetailed algorithms, being implemented
by the key distribution channel, the communication initiator
314 and the addressee 334, provide the benefit that
the communication with the key distribution centers 11,
12 is protected by encryption using the public key
method.

Thus, the encryption key request is transmitted to the
center 11 after encryption with the center's public key,
such that only the center 11 can decrypt the message
using its private key, to identify the inquirer 314 and the
addressee 334.

Safe communications are achieved since only after
inquirer authentication, center 11 transmits the desired
information after encryption with the inquirer 314 public
key.

Thus, only the center 11 knows who asked what
information, this preventing center impersonation; only
the inquirer 314 can decrypt the answer, thus an eavesdropper
can't use the information.

Furthermore, by providing only the public key of the
desired addressee 334, a higher level of protection is
achieved, since even if the key is compromised, the
encrypted message using that key is still protected,
since the private key for 334 was not disclosed.

Additionally, a secure encryption key distribution
center 11 structure and operation was disclosed for performing
the abovedetailed key distribution process.

Fig. 1 also details a system including a plurality of
such centers, detailed as 11, 12 there, connected
through links 110, 111, 112 in a wide area network for
fast updating of key information.

Fig. 2 details the structure and operation of a key
management device connected to a user's encryption
machine 21 for analog communications.

The key management device comprises controller
314, dialer/modem 315 and data switch 51.
Controller 314 receives the details of the desired
addressee through channel 313, and scans a list of
known communication partners in its internal memory
(not shown).

If the keys for the desired addressee are not found
in the local list, then controller 314 automatically connects
the secure encryption key distribution center
using dialer/modem 315, through channel 316 over
channel 103.

The illustrated implementation uses a modem/dialer
315 having two outputs. Controller 314 includes digital
encryption means (not shown) for secure communication
with the key distribution center through channel
103.

Data switch 51 connects the key management
device channel 317 to communication channel 213 during
the secure link setup stage.
During the subsequent communication stage, switch 51
connects encryption machine 21 to communication
channel 213.

Controller 314 performs the stages of the secure link
establishment and controls the state of switch 51
according to the abovedetailed algorithms. Channels
211, 212, 311 were already detailed, with reference to
Fig. 1.

Fig. 3 details the structure and operation of a key
management device connected to a user's encryption
machine 21 for digital communications. The key management
device comprises controller 314, dialer 315A
and data switch/matrix 61.

Controller 314 receives the details of the desired
addressee through channel 313, and scans a list of
known communication partners in its internal memory
(not shown).

If the keys for the desired addressee are not found
in the local list, then controller 314 automatically connects
the secure encryption key distribution center (not
shown) using dialer 315A, through channels 316, 317
and 103. This implementation uses a dialer 315A having
one output. Controller 314 uses digital encryption
machine 21 for secure communication with the key distribution
center through channel 103, using plaintext
channel 311 and ciphertext channel 212.

Data switch/matrix 61 connects channel 212 to
channel 103 for communication with the key distribution
center; it connects channel 212 to channel 213 during
the secure link setup stage and during the subsequent
secure communications session.

To establish a link with the key distribution center or
with the addressee facility, switch 61 connects dialer
315A to channel 103 or channel 213 respectively, under
controller 314 control. Controller 314 performs the
stages of the secure link establishment according to the
abovedetailed algorithms. The operation of channels
211, 312 was already detailed.

Fig. 4 details another implementation of the key
management device, for use with an analog encryption
machine without dialing capability nor digital communications
capabilities. A telephone dial line 103A is used
both for communications with the key distribution center
and the desired addressee. The key management
device comprises controller 314, dialer 315A, encipherer
318, decipherer 319 and data switch/matrix 61.
Controller 314 receives the details of the desired
addressee through channel 313.

If the keys for the desired addressee are not found
in the local list, then controller 314 automatically connects
the secure encryption key distribution center
using dialer 315A, through channels 315B, 315C and
103A. Controller 314 uses digital encryption means 318
and decryption 319 for secure communication with the
key distribution center through channel 103A.

Data switch/matrix 61 connects channel 382 or 392
to channel 103A for data communication with the key
distribution center or the addressee; it connects channel
103A to channel 315C during the dialing period.
Data switch/matrix 61 operation is controlled by controller
314 through channel 341.

Controller 314 performs the stages of the secure
link establishment according to the abovedetailed algorithms.
After the successful link establishment, controller
314 transfers the encryption and decryption keys to
the encryption machine to be used for the secure communication
session, through channel 311, then sets
switch 61 to connect ciphertext channel 212 from the
encryption machine to communication channel 103A.
Controller 314 uses channels 381 and 391 to connect to
encryption means 318 and decryption means 319
respectively.

There are a wide variety of applications for the 
abovedetailed key distribution system. 



For example, in database systems, the encryption
protects both the database and the user; by using
encryption, user authentication can be performed, thus
controlling information distribution only to qualified
users. Moreover, the encrypted information can only be
used by the legitimate customer. This also protects the
legitimate user from unjustified bills resulting from an
impersonator using the database.

Various implementations of the abovedetailed system
will become apparent to persons skilled in the art.
For example, Fig. 1 details a system implementation
using separate channels for key distribution (103) and
for communications with another user (213); a different
implementation may use the same channel for both
purposes.

Communication channels 213, 103, .. may consist
of fixed links set up for that purpose, like point to point
wired connections or wireless links at predefined frequencies,
or of temporary links like phone dial connections
set up specifically for the designated functions and
disconnected after the communication session completion.
The channels 212, 103, .. may then contain the telephone
exchanges, wiring, wireless components and
multiplexers and/or related components of the phone
system known in the art.

Communication channels 212, 103, .. may consist of 
wired and wireless links, like satellite or cellular commu- 
nications, LAN or WAN systems. 

Various algorithm implementations will occur to
persons skilled in the art, for example in case of link
establishment failure and key obtained from local list;
then a key inquiry procedure is initiated with center 11,
since the addressee details in the local list may be
obsolete; the key from center 11 is compared with the
key in the local list; if not identical, then: update local
list; try again to establish link.

A procedure to update encryption keys may be periodically
initiated at each facility, the procedure comprising
key pair computation, local list update and sending
the public key to center 11 through a secure link and
using a secure procedure; optionally, the new key may
be transmitted to the known addressees as found in the
local list.

In another implementation of the abovedetailed
system operation, open communications (not
encrypted) and without self identification, are used to
inquire the center about the desired addressee's key
and to receive the center's response.

The danger of impersonation or disinformation by
the center or the addressee is minimal, since the
center doesn't know the identity of the inquirer, so no
selective attack can be performed against a specific
facility; if a false key is given, this will only result in the
authentic addressee not being able to respond; therefore
the handshake will fail and the communications will
not take place, thus preventing the protected data from
being transmitted to an undesired destination.

In another implementation of the present invention,
key distribution center 11 creates a digital safe key/
identification package, as detailed below. The method
uses a symmetrical public key algorithm, that is either
the encryption or the decryption key can be used for
message encryption, with the other key being used for
decryption.

A user, for example facility 1, inquires the center 11
about its own (facility 1) public key; center 11 responds
with a message including facility 1's name and key, all
encrypted with the private key of center 11.

Now, anyone can open that message with the public
key of center 11, since the encryption algorithm is
symmetrical; but it is very difficult to create a false message,
since the center 11's private key, which was used
to create the message, is unknown to the public.

Facility 1 can transmit that encrypted digital message
"as is" to a desired addressee, facility 3 for example,
to say in effect "I claim to be facility 1, and this is
truly my public key, as attested by the center 11 which is
known and accepted by both of us". Facility 3 opens the
received digital message with the known center's public
key, thus ensuring that the public key for facility 1 is that
as claimed.

In case the digital message is intercepted by an
impersonator and subsequently used for communication
with facility 3 for example, the communication handshake
will fail since the impersonator will not be able to
decrypt the answer from facility 3, since it doesn't possess
the facility 1's private key.

Because of this added protection, an open link (not
encrypted) can be used by any user to ask the center 11
about its own or any other user's public key; the center's
response, the encrypted message, can be used in an
open link with another user to establish a secure link
between any two users.

With each user storing a digital message including
the encrypted center's answer regarding its own public
key, no further communications with the center 11 are
required nor a list of other users has to be kept, in order
to establish secure communications therebetween:
Each user sends to the other its own identification, the
encrypted message from center 11 containing its own
public key; each user decrypts the received message
with the known center's public key, and each user is
sure that that is the true key of the other. That public key
is then used for subsequent communications handshake
and data transfer.

The encrypted response message sent from center
11 may contain the response date and time, in addition
to the key and the key user's identification.
That date and time may be used to ensure that an
updated key (not obsolete) is used.
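
The package scheme described above, together with the random-bits identification of step 7c, as an added example that is not part of the patent text. It assumes toy textbook RSA built from Mersenne primes so that it runs on the standard library alone; the function names, the JSON layout, the dates and the 30-day age limit are all constructed for illustration.

```python
import json
import secrets
from datetime import date

E = 65537  # public exponent used by every toy key below


def keypair(a, b):
    """Toy RSA key from the Mersenne primes 2**a-1 and 2**b-1 (constructed, insecure)."""
    p, q = 2**a - 1, 2**b - 1
    return (p * q, E), (p * q, pow(E, -1, (p - 1) * (q - 1)))  # (public, private)


def apply_key(key, data):
    """One textbook-RSA operation on bytes; either key of a pair undoes the other."""
    n, exponent = key
    m = int.from_bytes(data, "big")
    if m >= n:
        raise ValueError("input does not fit this modulus")
    out = pow(m, exponent, n)
    return out.to_bytes((out.bit_length() + 7) // 8, "big")


def issue_package(center_priv, name, user_pub, issued):
    """Center: wrap (name, public key, issue date) with the center's private key."""
    record = {"name": name, "n": user_pub[0], "e": user_pub[1],
              "issued": issued.isoformat()}
    return apply_key(center_priv, json.dumps(record).encode())


def open_package(center_pub, blob):
    """Anyone: open a package with the center's public key; None if malformed."""
    try:
        rec = json.loads(apply_key(center_pub, blob))
        return rec["name"], (rec["n"], rec["e"]), date.fromisoformat(rec["issued"])
    except (ValueError, KeyError, TypeError):
        return None  # garbage after opening: not made with the center's private key


def make_peer(private_key, verifier_pub):
    """Remote party: decrypt the challenge, send it back encrypted for the verifier."""
    return lambda challenge: apply_key(verifier_pub, apply_key(private_key, challenge))


def establish_link(center_pub, my_priv, claimed_name, blob, peer, today,
                   max_age_days=30):
    """Verifier (facility 3 in the text): check the package, then challenge the peer."""
    opened = open_package(center_pub, blob)
    if opened is None:
        return "rejected: package was not produced by the center"
    name, peer_pub, issued = opened
    if name != claimed_name:
        return "rejected: package names a different user"
    if (today - issued).days > max_age_days:
        return "rejected: package is older than the accepted age"
    nonce = secrets.token_hex(16).encode()  # the "group of random bits"
    try:
        answer = apply_key(my_priv, peer(apply_key(peer_pub, nonce)))
    except ValueError:
        answer = None
    if answer != nonce:
        return "rejected: handshake failed, peer lacks the private key"
    return "linked"


# Constructed parties; the prime exponents are chosen only so each key is distinct.
CENTER_PUB, CENTER_PRIV = keypair(2203, 2281)
F1_PUB, F1_PRIV = keypair(521, 607)       # facility 1, the caller
F3_PUB, F3_PRIV = keypair(607, 1279)      # facility 3, the verifier
_, IMPOSTOR_PRIV = keypair(521, 1279)     # holds an intercepted package only


def demo():
    """Run the genuine case and three failure cases; returns case -> result."""
    package = issue_package(CENTER_PRIV, "facility-1", F1_PUB, date(1996, 1, 10))
    tampered = package[:-1] + bytes([package[-1] ^ 1])
    genuine = make_peer(F1_PRIV, F3_PUB)
    replayer = make_peer(IMPOSTOR_PRIV, F3_PUB)
    today = date(1996, 1, 20)

    def check(blob, peer, day):
        return establish_link(CENTER_PUB, F3_PRIV, "facility-1", blob, peer, day)

    return {
        "genuine": check(package, genuine, today),
        "replayed": check(package, replayer, today),
        "tampered": check(tampered, genuine, today),
        "stale": check(package, genuine, date(1996, 6, 1)),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:9} -> {result}")
```

Raw private-key encryption appears here only to mirror the text; current practice signs a hash of the record with a padded scheme such as RSASSA-PSS.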

Advantages of the abovedetailed method: the
center can be accessed on an open line (not
encrypted), without self identification. This protects from
disinformation by an intruder at the center. For example,
a fraudulent center operator or a fraudulently inserted
routine may wait for the inquiries of a specific user, and
respond falsely only to selected users which they desire
to attack, for maximum damage and difficulty of detection.
By using open inquiries, without self identification,
this danger is minimized.

Various key management device implementations
will occur to persons skilled in the art, like using a DIP
switch or solid state memory for the encryption key setting,
or a link to a personal computer. Solid state memory
devices may include EEPROMs, flash memory,
CMOS RAM or other device known in the art. Computing
means may be used to compute new encryption
keys or key pairs for public encryption.

A plug-in device may contain the keys, which device
may be programmed at the key distribution center, then
inserted by the user in the key management device; this
ensures easy key updates as required, together with
good physical protection. For example, the plug-in
device may be kept in a safe while not in use.

Each user equipment can include a key generation
machine, that is a processor which accepts a random
number from the user and generates a key pair (a public
key and a private key). Only the public key is transmitted
to the center or otherwise displayed; the private key is
kept secret, inside the machine, and is only used to
decrypt or encrypt messages. This apparatus and
method allow new keys to be generated whenever the user
so desires, and the private key is securely kept.

The random number from the user is optional;
where desired, an internal random numbers generator
can be used, or a time-related number may be used to
generate the key pair.

The method for use of the equipment including the
key generating machine will now be described by way of
example.

The method used for the initial key pair generation:

1d. The user is given the equipment, for example
the cellular telephone or remote control unit at an
authorized distribution center; the user is physically
identified there, for example by means of an identification
card or driver license. Thus, the center is
sure that the equipment was delivered to the person
which is supposed to receive it.

2d. The equipment is activated to generate an
encryption key pair, that is a private key and a public
key. The private key is never displayed or transmitted,
but is only kept inside the equipment. The
public key is displayed and/or transmitted by a digital
channel to the center;

3d. The user-related information is registered (written)
in memory means in the center, that information
including the user identification details and the
public key generated as detailed in (2d) above; and

4d. Anyone can now ask the center what is the public
key of that specific user, and the inquirer will be
given a reliable answer, that is encrypted with the
center private key, that that indeed is the public key
for the user as asked; the user can ask about his
own key, and will be given a reliable, encrypted
answer as well.

Another implementation of (2d) above, for use in a
cellular telephone, consists in using facilities in a cellular
telephone company center to compute and load new
keys, for example by connecting to terminals in that
center.

Still another implementation of (2d) above uses an
external key generating machine carried by a cellular
telephone representative. The machine has the
processing ability required for key generation, but has
no internal memory to keep the generated keys. Thus,
the machine is connected to a cellular telephone, it generates
the key pair and transfers the keys to the cellular
telephone.

The method used for subsequent key pair update:

1e. The user connects the center and identifies
himself, that including the following steps: He/she
receives a random data block from the center,
encrypted with user's public key; the user decrypts
that message with his private key and encrypts it
back with the center's public key; the encrypted
message is sent back to the center; the center
decrypts the message with center's private key and
verifies that indeed the received message is identical
with the transmitted message, this being proof
of user's identity;

2e. The equipment is activated to generate an
encryption key pair, that is a private key and a public
key. The private key is never displayed or transmitted,
but is only kept inside the equipment. The
public key is encrypted with center's public key and
is transmitted by a digital communication channel to
the center;

3e. The center decrypts the message with its private
key, thus reliably receiving the new, updated
user's public key; and

4e. The new, updated user-related information is
registered (written) in memory means in the center,
that information including the user identification
details and the public key generated as detailed in
(3e) above.

This method allows for a distributed center structure,
with small local centers for user keys initial setting
and subsequent update. Each local center then transmits
the updated public key to the regional or worldwide
center.

Another implementation of (2e) above uses an
external equipment to compute and load the key pair
into the cellular telephone, as detailed in connection
with step (2d) above.

Another variation of (2e) above would be for the user
to encrypt the new key with that user's old private key,
then the center using the old user's public key to decrypt
it.

Still another variation of (2e) would be for the user to
send the new public key without any encryption at all,
since the public key is not secret.

If the equipment containing the private key is lost,
the system security is preserved by the following
method: The user, as soon as he detects the equipment
loss, notifies the center accordingly. The center then
records that that user's public key is obsolete, and any
other user asking for that user's public key will be notified
accordingly.

The user can load a new key pair while he reliably
identifies himself, for example as detailed in method
(1d) to (4d) above.

An optional watchdog circuit can be attached to the
private key memory means. If a predefined time limit is
exceeded without the equipment being used or updated
from center, then it is assumed that the equipment was
lost, and the private and/or public key is destroyed.

The user equipment may include a complete message
from center, that message including (user's name;
user's public key; expiry date or last update date) all
encrypted with center's private key. This allows the user
to identify himself for safe communication purposes, as
detailed above. The user can update his public key with
the center anytime he desires, for example if he suspects
the previous key was compromised; an impostor
having a copy of the old message from center will not be
able to use the old copy subsequent to that public key
update.

If unauthorized attempts at reading the private key
are detected, then the private key is destroyed as well.
Additional physical key protection means can be used,
for example the key generation machine is mounted in a
cellular telephone: the user personally keeps that telephone,
thus protecting the private key.

This method for user authentication and selective
data dissemination can be used in financial transactions,
for example to pay with credit cards through insecure
links, and where the payee himself may be
unreliable as well.

A method to achieve that goal is as follows, for example
while User desires to buy an article from Seller, and to
pay using his credit card, for example Visa:

1f. User decides on the article to buy and finds its
price;

2f. User encrypts the information (Seller details;
article price; User credit card number and expiry
date) with the Visa public key;

3f. User sends his/her order to Seller, including the
encrypted information as per (2f) together with the
nonencrypted information, including (Seller details;
desired article details and price; User details, like
name and address);

4f. Seller encrypts the whole message as per (3f),
including the clear and the encrypted parts, with
Visa's public key and sends it all to Visa;

5f. Visa decrypts the message using its private key
once or twice as required, verifies the integrity of
the whole message and checks User's credit, and
prepares a sales authorization message;

6f. Visa encrypts the sales authorization message
with the private Visa key or Seller's public key and
sends the message to Seller; and

7f. Seller decrypts the message with Visa public key
or his private key according to the key used at
encryption, thus receiving a secure, provable and
untamperable with authorization to that sale.

The abovedetailed method offers the following benefits:
User's credit card details (card number, expiry
date) are protected from eavesdroppers on the communication
channel and from Seller, since these details are
encrypted with Visa's key, which only Visa can read;
thus, no unauthorized use of User's card information
can be made. Seller can't tamper with the price, since
Seller has no access to the encrypted sales price data.
Seller can prove that he received Visa approval for that
sale, since only Visa can encrypt that authorization
message with Visa's private key.

In another variation, User encrypts the information
sent in (3f) above with Seller's public key, to ensure no
unauthorized person can read the order details at all.
Only Seller can decrypt the information and read it
using his private key, thus preserving the information
integrity on one hand, and providing proof that Seller
received User's order on the other hand.

User can save Seller the effort to connect Visa to
verify User's credit, as follows: User connects Visa
before buying from Seller, and asks for a credit verification;
Visa sends a package to User, including (User's
details; credit approval and/or credit limit; time and date
stamp) all encrypted with Visa's private key; User sends
that package to Seller; Seller opens the package with
Visa's public key, thus accepting Visa's approval for the
sale.

This method can be used to implement a debit or
money card, since each time a sale is authorized, Visa
deducts the amount of that sale from that user's credit,
until a limit is reached and no sales approvals are
issued thereafter.

For regular plastic credit cards, the information
recorded on the magnetic stripe may be encrypted as
well, to protect the information in the card. Encryption is
done using Visa's public key for example. The reason is
that the information is passed to Visa anyway for
approval and payment to seller, and only Visa actually
needs the information stored in that card. It is safer that
the information in the card should not be displayed to
seller nor be stored in seller's data storage means.

That approval service may also be performed by an
independent services provider, for example an insurance
firm; that firm can offer insurance and approval
services, with fees varying according to the update/verification
rate: if more frequent verifications are made,
then a lower fee may be asked for, since the risk is
lower.

The method can be used to establish cellular phone
links, and to protect wireless remote control devices, for
example car locks or garage openers. For that purpose,
the cellular local center (or the garage) sends an
encrypted message to User; user decrypts it with his
private key, thus proving his identity; this reliable identification
method thus prevents unauthorized use of cellular
telephone services by an impersonator; similarly, a
garage opening device or a wireless car lock system
can be protected from unauthorized use.

Thus, reliable identification of the parties to a new
communication session can be performed, that is each
party can ascertain the identity of the other party. The
reliable identification can be performed between parties
which had no previous communications therebetween,
the parties being strangers to each other and at separate
locations, remotely located; the identification process
uses the same data communication link as the data
communication to be performed after the identification
stage. The abovedetailed secure communication
means can also be used for fax communications as
well.

The abovedetailed system and method allow a person
on the move to establish secure communications
with another person, from anywhere to any place on the
globe.

Various data communication means can be used, for
example telephone lines, radio wireless, noncontact
means like ultrasound or magnetic or capacitive. Acoustic
couplers can be used to connect to a telephone line
without disconnecting the telephone or the lines, but
through the telephone microphone and speaker, like
that used in modems.

Magnetic induction means may be used to connect
to the telephone lines, for example using a ferromagnetic
loop placed around a telephone wire; a second
winding on that ferromagnetic loop generates alternative
signals, which are induced in the telephone lines
without disconnecting these lines. The alternative signals
contain the desired information to be transmitted.

Similarly, electrical signals may be induced into a
magnetic card reader in a way similar to that used by the
credit cards; again, the alternative signals contain the
desired information to be transmitted.

The key management device contains a connector
for connecting a plug-in device containing the encryption
key storage means; the plug-in device contains a
corresponding connector and a nonvolatile memory for
storing the key while being disconnected from the key
management device.
This allows for the key to be transportable, to be carried
to the center for programming, or for being kept in a safe
place.

According to the structure and capabilities of
encryption machine 21, machine 21 may be used to
encipher/decipher messages with center 11 and key
setup messages with facility 3, or additional encryption
means in controller 314 may be used for that purpose.
Therefore, the key distribution device can use the
encryption and dialing facilities of the existing encryption
machine, or these features may be incorporated in
the key management device.

The device may include a "CLEAR/SECURE" 
switch, which is set by the user to start controller dialing 
and secure communication establishment. 

The secure communication device can include a
display, for communication related data and the details
of the partner to the communication session. Thus, after
secure key exchange and secure communication link
establishment, each party can see the name and details
of the other party; each party can thus ensure that he is
speaking with the desired person.

Various means for key distribution center 11 can be
used, like automatic dialer identification, together with
said dialer information being stored in the distribution
center for comparison with the actual reading. This feature
may be optional, to also support users which don't
have this capability or where the calls pass through a
switchboard.

A free key distribution service can be provided to
qualified users, like the use of an 800 number in the
U.S.A., or a 177 number in Israel.

Suitable means are required to protect the center's
public key. One possibility is frequent key changes, and
public notification, for example by proper publications
such as BBS' or other data bases.

Center 11 may comprise a centralized structure
with one large computer with communication to remote
locations, or a distributed secure network of local centers,
with countrywide or global total coverage.

The method of operation of the center in the
present invention will now be detailed in comparison
with existing key dissemination centers.

PGP key management: PGP maintains a public
server containing a list of public keys. PGP server
accepts and maintains a file with a collection of identification
packages (^ID). Each identification package K
includes the name and details of a key holder A,
together with his/her public key, which are signed
(authenticated) by a third party B which encrypts the
package with his/her private key.

Another party C desiring to communicate with a key
holder A searches for an identification package K
signed by someone known/accepted by them, thus
"ensuring" that that is the true key, which truly belongs
to the person as claimed; the third party is
"known/accepted" in the sense that B believes that its
encryption key pair are as claimed and are not compromised.

Since any single third party B may be unknown to
the other party C, key holder A submits a plurality of
identification packages Ki, each signed by a different
third party Bi; another party C desiring to communicate
with B searches all the packages Ki belonging to A, until
he finds one signed by a third party Bj known to him. Bj
is the "common acquaintance" to A and C.



Thus, the PGP server maintains a file with a collection
of identification packages for a multitude of users, and
with a plurality of packages for each user. Thus it may
be difficult to keep this vast quantity of information and
to disseminate it to users.

Another key dissemination method is employed by
Verisign, which distributes digital "certificates" valid for
a long time period (for example 5 years). A certificate
includes the name and additional information for a user,
together with the public key for that user and the expiry
date of the certificate, all encrypted with the private key
of the issuing authority.

Another certificate is issued to that first issuing authority 
by a higher second authority, that certificate including 
the public key and additional information for that first 
issuing authority, and so on. 

This is a hierarchical authorization structure, with 
user A bringing signatures from persons/ entities Bi at 
several levels, until a level high enough is reached 
which is also part of the hierarchy of C, thus establishing 
the key transfer which is authorized by the common 
accepted third party. 

A great effort is put into ensuring the identity of a 
user before issuing a certificate, and in keeping the cer- 
tificates; however, a certificate once issued may be 
compromised during its long lifetime, in which case it is 
difficult to replace it; the other party may not know that 
the key is compromised, and may not ask the center 
about the validity of the certificate (since it is within the 
validity period). 

The center has no control over the use of an issued 
certificate while the certificate is still valid, during the 
long period as set at issue time; only the "black list" at 
the center may give a warning to that effect, but that can 
only prevent communications. A reliable key has yet 
to be exchanged between the parties, which is difficult in 
this case. 

Users of this system are encouraged to keep a local list 
of certificates, but this does not solve the abovemen- 
tioned problems, although it may reduce the workload 
on the center. 

The center in our invention, however, contains a 
single package for each user for any specific key; the 
same user may maintain several keys, for different uses 
or levels of security or under different pseudonyms or to 
be assigned each to a specific person holding a specific 
position. 

This key management method is beneficial in situations 
where a person changes position in a firm; the new per- 
son in the job will not be able to read mail addressed to 
the previous person, since the new person will be given 
a new key pair. PGP server and the other centers can- 
not cope with such a situation in an easy manner. 

In the present invention, the center checks the 
validity of the identification package by identifying the 
user, for example by his/her holding a valid credit card 
and/or calling from a specific location or phone number. 
This is a lower level of security, implemented by less 
severe user identification than the other methods, with 
the express purpose of providing an easily accessible 
and usable method of key dissemination for the com- 
mon people; this level of security, however, is main- 
tained all the time with the presented method of easy 
issue of updated certificates at frequent times; thus, the 
present method is overall more secure than other meth- 
ods, and it is also easier to use. 

If required, a subset of the certificates may include 
a higher level of security, based on more stringent user 
identification for example. This can easily be integrated 
in the present invention. But for widespread use, even 
users in that more secure subset are likely to use certif- 
icates issued at the lower level, to communicate with the 
majority of the users. 

The center issues a certificate which is a digital file/ 
document containing the name/pseudonym and details 
for a user, together with his/her public key and the issue 
date, all encrypted with the private key of the center. 
The center ensures there are no duplicate user 
names/pseudonyms; new names can be added with rel- 
ative ease, but to change an existing name the center 
has to approve the transaction, thus achieving better 
user key protection. 

To ensure key validity in VeriSign, each package 
includes an expiration date. Each key is intended to be 
used for the whole period as planned, for example one 
year or two or five years. This is a weak link for other 
systems as well, for example RSA. As the key 
approaches its expiry date, the chance of its being com- 
promised increases, and more verification requests will 
be placed with the center. 

In our invention, however, the method is such that the 
identification package includes the issuing date, such 
that any other party can estimate the validity and relia- 
bility of the key therein. Any key update results in a new 
updated package, which is available to all. 

PGP does not manage the key information, for 
example by checking the validity of the information or by 
preventing name duplications. 

If a key is compromised, it is practically impossible 
to remove it from the server; PGP and RSA only keep a 
second list (the black list) of disabled or canceled keys, 
and users are advised to check that list to ensure key 
reliability. 

A compromised key cannot be reliably removed since, 
although that key can be physically deleted, the PGP 
server cannot prevent a package containing the same 
key from being reloaded by anyone; since an unknown 
number of users may hold copies of the signed package 
with that key, any one of them may reload the key into 
the PGP server. 

This has the disadvantage that the second list (the 
black list) will be under severe overload stress, since 
any user receiving a package near the expiry date will 
presumably want to check it for validity; any other user 
desiring to communicate sensitive information will prob- 
ably desire to check the key as well. 

In our center, however, there is no second, "black" 
list but only a reliable list of certificates. The owner of a 



key may update it at any time, so a compromised key 
will not have severe repercussions - the user just 
changes it and receives an updated certificate with a 
new date embedded therein. The user presents that 
certificate to other parties to establish secure communi- 
cation therewith. There is no need to keep lists of certif- 
icates or keys, since an updated key is presented by the 
other party with each new communication transaction. 
All that is needed is an updated public key of the center sup- 
porting these transactions, to use in checking the pre- 
sented certificates. 

The other party to a communication transaction can 
always choose to check the key by accessing the center; 
the center issues updated certificates to anyone, attest- 
ing to the validity of the key for any desired user. There 
is no need to read a black list and therefore there is less 
load on the center. 

The user, while establishing an account with the 
center, is given a "cancellation code", that is an identifi- 
cation code for key changes or cancellation purposes. 
Only change requests thus authorized will be honored, to 
prevent the f Oes from unauthorized changes. 

If the private key of the RSA or other similar centers 
is compromised, this results in a "catastrophe" accord- 
ing to their explanation, since anyone can impersonate 
other users. This is a "total loss" situation. All existing 
keys and identification packages must be updated, each 
with its multiple approvals. 

In our invention center, however, if the private key of 
the center is compromised, then a user should not 
accept an old certificate which may be affected by that 
key, but should ask for a new certificate or access the 
center for an updated, reliable certificate. Thus it is eas- 
ier to recover from an occurrence of a compromised key 
of the center. Even if someone succeeds in finding the 
private key of the center, they still cannot impersonate 
the center, that is they cannot answer phone calls 
placed with the center. Any user suspecting a certificate 
presented to him has the option of calling the center to 
get a reliable, updated version of the certificate which 
cannot be tampered with. Thus, the physical phone con- 
nections of the center provide a still higher level of secu- 
rity protection in our invention. 

The key distribution center in our invention func- 
tions like a phone information service, that is service 1- 
411 in the U.S., or 144 in Israel. It provides an updated 
certificate including the user identification and his public 
key to anyone, that is to any anonymous caller. 
Unlike the phone information service, however, the key 
distribution center in the present invention allows for fre- 
quent changes in the certificates issued. 

In PGP, people are encouraged to keep local lists 
with keys for desired correspondents; this is especially 
important since keys are to be authorized by third par- 
ties; in RSA, certificates are issued for a long period of 
use. 

No such local keys lists are needed in the center in our 
invention, since the center holds the most recently 
updated key for each user, available to all; each user 
can hold a certificate of/for himself, with a recent 
authorization, to be presented to another party as 
required. 

Another user of public key encryption is the PC Fax 
program package offered by Microsoft under Windows. 
This package facilitates the transmission of FAX mes- 
sages which may be optionally encrypted. The FAX may 
be encrypted using a password or a digital key, which 
are conceptually the same. It uses a public key and a 
private key, under the "Fax Security/Advance Security" 
menu. 

Again, they face the same problem of reliable key 
dissemination. Microsoft advises to exchange diskettes 
containing the key, clearly a difficult to use method. 

A public key can be exchanged by communication 
means, and again there is the problem of identifying the 
other party - how one is to know that the answering party 
is truly the person it claims to be. This lack of a practical 
solution attests to the need which is filled with the 
present invention, of reliable key management and dis- 
semination using reliable certificates including the pub- 
lic key and information for each user. 
In the method described in the present invention, the 
problem faced by Microsoft is easily solved: Each party 
sends its certificate to the other, and a secure link is 
immediately established. The certificate exchange 
method can be easily integrated in the fax communica- 
tion program provided by Microsoft. This is an indication 
of the nonobviousness of the present invention, which 
addresses a hitherto unsolved problem. 

Another use of the present method of key dissemi- 
nation is to access remote databases or other informa- 
tion services on an irregular basis. With the proliferation 
of remote information services, it is practically impossi- 
ble for any single user to subscribe to all of them. 
The subscription is necessary for the service provider to 
charge the user for the service as provided. 
It may be difficult or not economic for the information 
providers as well to handle a multitude of users, each 
using the database to only a small extent. 
Usually the information is accessed from a remote site 
through data communication links like the Internet. 

In this application, the key management center acts 
as a user authorization party, by assigning to interested 
users a certificate which enables them to access a mul- 
titude of databases. 

The method includes the following steps: 

1g. The key management center signs agreements 
with a multitude of information providers, for the 
providers to accept irregular users which are 
authorized by the center as attested by presenting 
a digital certificate issued by the center, and to 
charge the center for the services provided; 

2g. the center accepts and authorizes users to use 
the information services it has business relations 
with, including the steps of: 

A. a user accesses the center from a remote 
site; 

B. (optional) the user downloads from the 
center a software package to generate an 
encryption key pair and maybe a communica- 
tion routine for subsequent communication with 
the center; 

C. the user identifies himself/herself, for exam- 
ple by providing a name or pseudonym, and a 
credit card number, which may be encrypted 
using the center's public key or the key pair 
generated in (B) above; 

D. the center checks the validity of the credit 
card; and 

E. if the credit card is valid, then the user is 
issued a certificate which includes the informa- 
tion supplied by the user and additional 
optional information like the issue date and 
center details, all encrypted with the private key 
of the center; and 

3g. the user thus authorized accesses the desired 
remote services, presents the certificate and is 
accepted as a user of that service. 

Other embodiments of the abovedetailed method 
are possible, for example in (C) above the user may pro- 
vide not the explicit credit card number but an encrypted 
package containing that number, for example encrypted 
with the public key of the credit card issuer; then in (D) 
the center sends that package to the card issuer which 
opens it using its private key and issues a transaction 
authorization to the center, while the center has no copy 
of the credit card itself. This method may prevent the 
card number being misused or getting into the wrong 
hands. 

The software package sent to a user in step 2g(B) 
above may be itself encrypted with the private key of the 
center, to protect from tampering with that software 
which is an important constituent of the abovedetailed 
method, since the encryption key has to be generated 
by a secure method. 

The service provider may charge directly the user 
for the service as provided, using the credit card 
number if included in the certificate, or it may charge the 
center which issued the certificate, which in turn may 
charge the end users. 

Another application of the method detailed above is 
caller identification, with the subsequent communication 
being either encrypted or not. Caller identification is 
implemented by the exchange of certificates as detailed 
above. 

Caller identification may be beneficial in a wide vari- 
ety of applications, for example telephone, fax, cellu- 
lar/wireless phone, computer communications, remote 
control/base station, access control. Present caller 
identification methods may identify a phone number 
belonging to a firm or organization, but there is no iden- 
tification of a specific user or telephone within that 
organization. This problem is solved with the present 
invention. 

The user's encryption machine may include display 
means for displaying the other user identification infor- 
mation which is included in the received certificate. This 
may include the real user's name or a nickname or a 
pseudonym, together with a company name and that 
person's position. This provides for easy and reliable 
identification of the parties involved in a remote commu- 
nication transaction. 

Since the certificate includes the issue date, its 
validity may be limited as desired, according to applica- 
tion and circumstances. For example, access control to 
a parking lot may be permitted with a monthly permit in 
one season, whereas a weekly permit may be required 
in another season. 

These flexible time limits can be easily enforced with 
present computer technology implementing the method 
detailed in the present invention. 

The certificates issued according to the present 
invention may optionally include a list of authorizations 
or actions permitted for that user to do, or databases to 
access, or permitted operations in those databases. 
The authorizations may be based on the user track 
record or experience or credit rating or security/identifi- 
cation level. 

This offers the benefit that each user is given access to 
facilities or is allowed to perform operations without the 
need to recheck their authorization each time they 
access the system. 
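
The issue-date and authorization checks described above, as an added Python example that is not part of the patent text: a relying party verifies the center's signature with the center's public key and applies its own age limit and permit check. Field names, dates and key strings are constructed, and "encrypted with the private key of the center" is modelled as textbook RSA over a SHA-256 digest with two Mersenne primes, an assumption made only to keep the example dependency-free.

```python
import hashlib
import json
from datetime import date

# Toy key pair for the center: textbook RSA built on two Mersenne primes.
# Constructed for this example only; no padding, and the primes are public.
P, Q = 2**127 - 1, 2**521 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # center's private exponent


def _digest(fields: dict) -> int:
    """Hash a canonical JSON encoding of the certificate fields to an integer < N."""
    blob = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(blob).digest(), "big")


def issue_certificate(name, user_public_key, issued, authorizations=()):
    """Center side: bind name, public key, issue date and permits under the center's key."""
    fields = {
        "name": name,
        "public_key": user_public_key,
        "issued": issued.isoformat(),
        "authorizations": sorted(authorizations),
    }
    return {"fields": fields, "signature": pow(_digest(fields), D, N)}


def check_certificate(cert, today, max_age_days, needs=None):
    """Relying-party side: uses only the center's public key (N, E) and a local policy."""
    fields = cert["fields"]
    if pow(cert["signature"], E, N) != _digest(fields):
        return "bad-signature"
    age = (today - date.fromisoformat(fields["issued"])).days
    if age < 0:
        return "issued-in-future"
    if age > max_age_days:
        return "stale"            # ask the presenter, or the center, for a fresh one
    if needs is not None and needs not in fields["authorizations"]:
        return "not-authorized"
    return "ok"


def demo():
    """Constructed scenario: the user replaces a key on 2024-03-10."""
    old = issue_certificate("alice", "PUBKEY-OLD", date(2024, 3, 1), ["parking"])
    new = issue_certificate("alice", "PUBKEY-NEW", date(2024, 3, 10), ["parking"])
    today = date(2024, 3, 12)
    # Same signature, different key field: the binding must fail.
    swapped = {"fields": dict(old["fields"], public_key="PUBKEY-SWAPPED"),
               "signature": old["signature"]}
    return {
        "monthly_old": check_certificate(old, today, 30, "parking"),
        "weekly_old": check_certificate(old, today, 7, "parking"),
        "weekly_new": check_certificate(new, today, 7, "parking"),
        "tampered": check_certificate(swapped, today, 30, "parking"),
        "wrong_permit": check_certificate(new, today, 7, "database"),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:13s} {verdict}")
```

The `monthly_old` case is the trade-off of having no black list: a certificate for a replaced key still verifies until it ages past the relying party's own limit, so that limit is the exposure window unless the relying party asks the center for a fresh certificate.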

Claims 

1. A center (11) for safe key distribution to authorized 
and/or unauthorized users (1,2,3), to facilitate 
establishing a safe communication link, including: 

(A) Computer means for storing a list of said 
users and their respective encryption keys, for 
retrieving data from and updating said list, for 
preparing digital messages for said users and 
for performing related control functions, 
according to predefined procedures and 
received digital messages from said users; and 

(B) Channel interface means for connecting 
said computer means in said center to said 
users through a communication channel to 
receive and transmit said digital messages with 
said users. 

2. A center for safe key distribution as claimed in 
Claim 1, wherein each of said digital messages 
includes information identifying one of said users 
(1,2,3) and its corresponding said encryption key, 
all encrypted with the private key of said center 
according to a public key encryption algorithm, with 
the other key being made public and known to said 
users and/or to the public. 



3. A center for safe key distribution as claimed in 
Claim 2, wherein each of said digital messages fur- 
ther includes information relating to the time of 
issue of said message. 

4. A center for safe key distribution as claimed in 
Claim 2, wherein each of said digital messages fur- 
ther includes information relating to the authoriza- 
tion of said user to perform specific actions or 
operations. 

5. A method for facilitating occasional users to access 
a multitude of remote databases or other informa- 
tion services on an irregular basis with the support 
of an authorization center, including the steps of: 

(A) The key management center signs agree- 
ments with a multitude of information and/or 
services providers, for said providers to accept 
irregular users which are authorized by said 
center as attested by presenting a digital certif- 
icate issued by said center, and to charge said 
center for the said information/services pro- 
vided; 

(B) said center accepts and authorizes said 
users to use the information services it has 
business relations with, including the steps of: 

(1) a user accesses the center from a 
remote site; 

(2) the user identifies himself/herself, for 
example by providing a name or pseudo- 
nym, and a credit card number, which may 
be encrypted using the center's public key; 

(3) the center checks the validity of the 
credit card; and 

(4) if the credit card is valid, then the user 
is issued a certificate which includes the 
information supplied by the user and addi- 
tional optional information like the issue 
date and center details, all encrypted with 
the private key of the center; and 

(C) the user thus authorized accesses the 
desired remote services, presents the certifi- 
cate and is accepted as a user of that service. 

6. A method for facilitating occasional users to access 
a multitude of remote databases or other informa- 
tion services as claimed in Claim 5, further includ- 
ing the steps: 

(1a) (after step 1) the user downloads from the 
center a software package to generate an 
encryption key pair and maybe a communica- 
tion routine for subsequent communication with 
the center; and 

(4) (to replace step 4 above) if the credit card is 
valid, then the user is issued a certificate which 
includes the information supplied by the user 
and additional optional information like the 
issue date and center details, all encrypted 
with the private key generated in step (1a) 
above. 

7. A key management device attaching to each one of 
a plurality of user's (1) encryption machines (21) for 
the purpose of public key distribution, and includ- 
ing: 

(A) Channel interface means (41) for connect- 
ing with another user (2) or a key distribution 
center (11) through a communication channel 
(103), to transmit and/or receive digital mes- 
sages containing information identifying said 
user and said public key for said user; and 

(B) Key management controller means (314) 
for accepting the desired addressee or initiator 
details, for obtaining said key from said center 
through said channel interface, and for transfer- 
ring said key to said encryption 
machine, connected to said channel interface 
and to said encryption machine. 

8. A key management device as claimed in Claim 7, 
further including display means for displaying the 
other user identification information included in the 
received certificate, said identification information 
including the real user's name or a nickname or a 
pseudonym and/or a company name and/or said 
user's position in said company. 